github.com/kiali/kiali@v1.84.0/business/checkers/peer_authentication_checker.go (about)

     1  package checkers
     2  
     3  import (
     4  	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"
     5  
     6  	"github.com/kiali/kiali/business/checkers/common"
     7  	"github.com/kiali/kiali/business/checkers/peerauthentications"
     8  	"github.com/kiali/kiali/config"
     9  	"github.com/kiali/kiali/kubernetes"
    10  	"github.com/kiali/kiali/models"
    11  )
    12  
// PeerAuthenticationCheckerType is the object-type tag handed to the validation
// helpers (EmptyValidValidation, the multi-match and selector checkers) for every
// validation this checker produces.
const PeerAuthenticationCheckerType = "peerauthentication"
    14  
// PeerAuthenticationChecker validates a set of Istio PeerAuthentication objects
// from one cluster.
//
// Fields:
//   - PeerAuthentications: the objects to validate; each one yields its own
//     entry in the returned IstioValidations.
//   - MTLSDetails: mTLS-related state (its DestinationRules are handed to the
//     "disabled" checkers, the whole struct to the mTLS checkers).
//   - WorkloadsPerNamespace: namespace name -> workloads, used by the selector
//     and multi-match checks.
//   - Cluster: cluster name recorded in every validation key.
type PeerAuthenticationChecker struct {
	PeerAuthentications   []*security_v1beta.PeerAuthentication
	MTLSDetails           kubernetes.MTLSDetails
	WorkloadsPerNamespace map[string]models.WorkloadList
	Cluster               string
}
    21  
// Check runs the cross-object multi-match check over all PeerAuthentications
// first, then the per-object checks for each one, and merges everything into a
// single IstioValidations map.
func (m PeerAuthenticationChecker) Check() models.IstioValidations {
	result := models.IstioValidations{}

	// Cross-object check (presumably PeerAuthentications whose selectors
	// match the same workloads; the checker itself lives in package common).
	multiMatch := common.PeerAuthenticationMultiMatchChecker(m.Cluster, PeerAuthenticationCheckerType, m.PeerAuthentications, m.WorkloadsPerNamespace)
	result.MergeValidations(multiMatch.Check())

	// Per-object checks, merged in list order.
	for _, pa := range m.PeerAuthentications {
		result.MergeValidations(m.runChecks(pa))
	}

	return result
}
    33  
    34  // runChecks runs all the individual checks for a single mesh policy and appends the result into validations.
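// runChecks runs every individual check for a single PeerAuthentication and
// returns the outcome as a one-entry IstioValidations map keyed by the object
// (name, namespace, checker type, cluster). The entry starts out valid and
// becomes invalid as soon as any checker reports it so; all checks from all
// checkers are collected regardless.
func (m PeerAuthenticationChecker) runChecks(peerAuthn *security_v1beta.PeerAuthentication) models.IstioValidations {
	key, validation := EmptyValidValidation(peerAuthn.Name, peerAuthn.Namespace, PeerAuthenticationCheckerType, m.Cluster)

	// A missing selector is passed on as an empty (non-nil) label set; a
	// present selector contributes its MatchLabels as-is (possibly nil).
	matchLabels := map[string]string{}
	if sel := peerAuthn.Spec.Selector; sel != nil {
		matchLabels = sel.MatchLabels
	}

	checkers := []Checker{
		common.SelectorNoWorkloadFoundChecker(PeerAuthenticationCheckerType, matchLabels, m.WorkloadsPerNamespace),
	}

	// PeerAuthentications in the root namespace are treated as mesh-wide
	// objects; anything else is namespace-wide. The namespace is classified
	// once and both the "disabled" and the mTLS checker follow it.
	// NOTE(review): the classification here is by namespace alone. Istio itself
	// only treats a root-namespace PeerAuthentication *without* a selector as
	// mesh-wide; one with a selector scopes to matching workloads in that
	// namespace. Confirm the mesh-wide checkers account for Spec.Selector.
	if config.IsRootNamespace(peerAuthn.Namespace) {
		checkers = append(checkers,
			peerauthentications.DisabledMeshWideChecker{PeerAuthn: peerAuthn, DestinationRules: m.MTLSDetails.DestinationRules},
			peerauthentications.MeshMtlsChecker{MeshPolicy: peerAuthn, MTLSDetails: m.MTLSDetails, IsServiceMesh: false},
		)
	} else {
		checkers = append(checkers,
			peerauthentications.DisabledNamespaceWideChecker{PeerAuthn: peerAuthn, DestinationRules: m.MTLSDetails.DestinationRules},
			peerauthentications.NamespaceMtlsChecker{PeerAuthn: peerAuthn, MTLSDetails: m.MTLSDetails},
		)
	}

	for _, checker := range checkers {
		checks, ok := checker.Check()
		validation.Checks = append(validation.Checks, checks...)
		validation.Valid = validation.Valid && ok
	}

	return models.IstioValidations{key: validation}
}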